public inbox for isar-users@googlegroups.com
* [PATCH 0/3] Allow use of external scripts to sign modules
From: 'Gokhan Cetin' via isar-users @ 2025-01-23 14:51 UTC (permalink / raw)
  To: isar-users; +Cc: gokhan.cetin, felix.moessbauer

Considering the comments from https://groups.google.com/g/isar-users/c/qmVCSWlpTeU

Gokhan Cetin (3):
  meta/recipes-kernel/linux-module: Allow use of external scripts to
    sign modules
  module-signer-example: add example signer hook and signed variant for
    example-module
  doc/user_manual: describe module signing and custom signer hooks

 doc/user_manual.md                            | 24 +++++++++++
 .../files/sign-module.sh                      | 40 +++++++++++++++++++
 .../module-signer-example.bb                  | 20 ++++++++++
 .../example-module-signedwith.bb              | 15 +++++++
 .../linux-module/files/debian/rules.tmpl      |  4 ++
 meta/recipes-kernel/linux-module/module.inc   |  2 +
 6 files changed, 105 insertions(+)
 create mode 100644 meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh
 create mode 100644 meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
 create mode 100644 meta-isar/recipes-kernel/example-module/example-module-signedwith.bb

-- 
2.39.2

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250123145131.1142290-1-gokhan.cetin%40siemens.com.


* [PATCH 1/3] meta/recipes-kernel/linux-module: Allow use of external scripts to sign modules
From: 'Gokhan Cetin' via isar-users @ 2025-01-23 14:51 UTC (permalink / raw)
  To: isar-users; +Cc: gokhan.cetin, felix.moessbauer

This facilitates the integration of scripts developed for signing solutions like HSM
where private keys are not accessible and allows the use of detached signatures
produced by such solutions.

Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
 meta/recipes-kernel/linux-module/files/debian/rules.tmpl | 4 ++++
 meta/recipes-kernel/linux-module/module.inc              | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
index ad743437..30d7ce0f 100755
--- a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
+++ b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
@@ -56,6 +56,10 @@ endif
 ifneq ($(filter pkg.sign,$(DEB_BUILD_PROFILES)),)
 	find . -name "*.ko" -print -exec $(KDIR)/scripts/sign-file ${SIGNATURE_HASHFN} ${SIGNATURE_KEYFILE} ${SIGNATURE_CERTFILE} {} \;
 endif
+ifneq ($(filter pkg.signwith,$(DEB_BUILD_PROFILES)),)
+	find . -name "*.ko" | xargs -i ${SIGNATURE_SIGNWITH} {} {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE}
+	find . -name "*.ko" | xargs -i $(KDIR)/scripts/sign-file -s {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE} {}
+endif
 
 override_dh_auto_install:
 	$(MAKE) -C $(KDIR) M=${MODULE_DIR} INSTALL_MOD_PATH=$(PWD)/debian/${PN} modules_install
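Review bot: the two `find . -name "*.ko" | xargs -i ...` lines in the `pkg.signwith` branch use `xargs -i`, which GNU findutils has deprecated in favour of `-I {}`, and because the module paths travel through a newline-separated pipe they break on any `.ko` path containing whitespace, unlike the `pkg.sign` branch directly above. Suggest `find . -name "*.ko" -print0 | xargs -0 -I {} ${SIGNATURE_SIGNWITH} {} {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE}` (and the same for the `sign-file -s` step); keeping xargs rather than switching to `-exec ... \;` is deliberate here, since xargs returns non-zero when the signer fails and that is what makes a failed signing abort the build. A one-line comment stating that the hook is called with four positional arguments (module, signature output path, hash function, certificate) would also help, as that is the contract every custom signer has to follow.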
diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 3e8e5e7a..d7432bf7 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -25,6 +25,7 @@ DEB_BUILD_OPTIONS += "noautodbgsym"
 SIGNATURE_KEYFILE ??= ""
 SIGNATURE_CERTFILE ??= ""
 SIGNATURE_HASHFN ??= "sha256"
+SIGNATURE_SIGNWITH ??= ""
 
 SRC_URI += "file://debian/"
 
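Review bot: `SIGNATURE_SIGNWITH ??= ""` gets a default, but nothing checks that it is non-empty when `pkg.signwith` is in `DEB_BUILD_PROFILES`; once the template is rendered, an empty variable turns the signing step into `xargs -i {} {}.signature sha256 ...`, which tries to execute the module file itself and yields a confusing build error. Suggest a sanity check (e.g. `bbfatal` from an anonymous python function, or a guard in rules.tmpl) when the profile is enabled and `SIGNATURE_SIGNWITH` or `SIGNATURE_CERTFILE` is empty.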
@@ -57,6 +58,7 @@ TEMPLATE_VARS += " \
     SIGNATURE_KEYFILE \
     SIGNATURE_CERTFILE \
     SIGNATURE_HASHFN \
+    SIGNATURE_SIGNWITH \
     PN \
     DEBIAN_COMPAT"
 
-- 
2.39.2



* [PATCH 2/3] module-signer-example: add example signer hook and signed variant for example-module
From: 'Gokhan Cetin' via isar-users @ 2025-01-23 14:51 UTC (permalink / raw)
  To: isar-users; +Cc: gokhan.cetin, felix.moessbauer

This patch introduces an example signer hook that generates raw detached signatures
for out-of-tree kernel modules.

Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
 .../files/sign-module.sh                      | 40 +++++++++++++++++++
 .../module-signer-example.bb                  | 20 ++++++++++
 .../example-module-signedwith.bb              | 15 +++++++
 3 files changed, 75 insertions(+)
 create mode 100644 meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh
 create mode 100644 meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
 create mode 100644 meta-isar/recipes-kernel/example-module/example-module-signedwith.bb

diff --git a/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh b/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh
new file mode 100644
index 00000000..4d22532b
--- /dev/null
+++ b/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# Example signer script that generates detached signatures for modules
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+
+set -e
+
+module=$1
+signature=$2
+hashfn=$3
+certfile=$4
+
+if [ -z "$module" ] || [ -z "$signature" ] || [ -z "$hashfn" ] || [ -z "$certfile" ] ; then
+    exit 1
+fi
+
+echo "Signing module $module with hash function $hashfn and certificate $certfile"
+
+openssl smime -sign -nocerts -noattr -binary \
+    -in "$module" \
+    -md "$hashfn" \
+    -inkey /etc/sb-mok-keys/MOK/MOK.priv \
+    -signer /etc/sb-mok-keys/MOK/MOK.der \
+    -outform DER \
+    -out "$signature"
+
+echo "Verifying signature of module $module with hash function $hashfn and certificate $certfile"
+
+openssl smime -verify \
+    -in "$signature" \
+    -md "$hashfn" \
+    -content "$module" \
+    -certfile /etc/sb-mok-keys/MOK/MOK.der \
+    -noverify \
+    -inform DER \
+    -out /dev/null
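Review bot: the `$certfile` argument is validated at the top of the script but then ignored, since both `-signer` (sign step) and `-certfile` (verify step) are hardcoded to `/etc/sb-mok-keys/MOK/MOK.der`. The rules template passes `${SIGNATURE_CERTFILE}` as the fourth argument precisely so the recipe can choose the certificate, so use `-signer "$certfile"` and `-certfile "$certfile"` here (the private key path can stay an example-specific constant, ideally in a variable at the top); otherwise a recipe that sets a different `SIGNATURE_CERTFILE` ends up with a module whose appended signature does not correspond to the certificate it declares. Two smaller points: `-noverify` in the verify step intentionally skips chain validation because the MOK is self-signed, which deserves a comment so nobody copies it into a real signer unthinkingly, and the silent `exit 1` on missing arguments would be friendlier with a usage line on stderr.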
diff --git a/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
new file mode 100644
index 00000000..001e8cc8
--- /dev/null
+++ b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
@@ -0,0 +1,20 @@
+# Example recipe for signing a kernel module with custom signer script
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+DPKG_ARCH = "all"
+
+DEPENDS = "sb-mok-keys"
+DEBIAN_DEPENDS += "openssl, sb-mok-keys"
+
+SRC_URI = "file://sign-module.sh"
+
+do_install[cleandirs] = "${D}/usr/bin/"
+do_install() {
+    install -m 0755 ${WORKDIR}/sign-module.sh ${D}/usr/bin/sign-module.sh
+}
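Review bot: the recipe ships the hook as `/usr/bin/sign-module.sh` and pulls in `sb-mok-keys` via `DEPENDS` and `DEBIAN_DEPENDS`, which means the private key is read from the build chroot at package build time; a short comment that this is only what makes the example self-contained, and that a real HSM or server-side hook would replace the key access rather than install a key, would prevent users from taking the recipe as a template for production signing.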
diff --git a/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb b/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb
new file mode 100644
index 00000000..f611169c
--- /dev/null
+++ b/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb
@@ -0,0 +1,15 @@
+# Example recipe for building a custom module
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+
+require example-module.bb
+
+DEPENDS += "module-signer-example"
+DEBIAN_BUILD_DEPENDS .= ', module-signer-example'
+
+DEB_BUILD_PROFILES += 'pkg.signwith'
+SIGNATURE_CERTFILE = '/etc/sb-mok-keys/MOK/MOK.der'
+SIGNATURE_SIGNWITH = '/usr/bin/sign-module.sh'
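Review bot: the header comment `# Example recipe for building a custom module` is copied from example-module.bb and does not say what this variant demonstrates; suggest "Example recipe for building a custom module signed via an external signer hook (pkg.signwith)". Also note that `SIGNATURE_CERTFILE = '/etc/sb-mok-keys/MOK/MOK.der'` has to stay in sync with the path inside sign-module.sh; if the script honoured its `$certfile` argument, this recipe would be the single source of truth for the certificate.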
-- 
2.39.2



* [PATCH 3/3] doc/user_manual: describe module signing and custom signer hooks
From: 'Gokhan Cetin' via isar-users @ 2025-01-23 14:51 UTC (permalink / raw)
  To: isar-users; +Cc: gokhan.cetin, felix.moessbauer

Mentions why kernel module signing is needed and how to implement it.

Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
 doc/user_manual.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/doc/user_manual.md b/doc/user_manual.md
index 62d16c8c..477070d1 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -1133,6 +1133,30 @@ Use the previously definded password to enroll the key, then reboot.
 
 Now the image should be up again and `modprobe example-module` should work.
 
+**Sign kernel modules with custom signer hooks**
+
+The kernel module signing process establishes a chain of trust from the kernel to the modules, ensuring that
+all components of the system are from trusted sources. If Secure Boot is enabled or the module signing
+facility is enabled by kernel configuration or via `module.sig_enforce` kernel parameter, the kernel checks
+the signature of the modules against the public keys from kernel system keyring and kernel platform keyring.
+
+Please note that if the certificates you use to sign modules are not included in one of these keyrings or are
+blacklisted, the signature will be rejected and the module will not be loaded by the kernel.
+
+Many regulatory standards and compliance frameworks require the use of signing methods that are
+designed to protect cryptographic keys and signing operations to ensure a high level of security.
+
+In order to use solutions like Hardware Security Module (HSM) or server-side signing, which
+are usually made available via a client, an API endpoint or a plug-in, for signing kernel modules,
+Isar provides a build profile called `pkg.signwith` for kernel module recipes.
+
+To provide a signer script that implements your custom signing solution, `SIGNATURE_SIGNWITH` variable 
+can be set for the script path within the module recipe together with `SIGNATURE_CERTFILE` to define the public
+certificate path of the signer.
+
+Please see how `module-signer-example` hook generates a detached signature for the kernel module implemented in
+`example-module-signedwith` recipe.
+
 ### Cross Support for Imagers
 
 If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks
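Review bot: the new section never states the contract a custom signer has to implement, which is the main thing a reader setting `SIGNATURE_SIGNWITH` needs: the script is invoked once per module with four positional arguments (module path, path of the detached signature to write, hash function from `SIGNATURE_HASHFN`, certificate from `SIGNATURE_CERTFILE`) and must write a PKCS#7 DER signature, which `scripts/sign-file -s` then appends to the module. Suggest adding that list after the `SIGNATURE_SIGNWITH`/`SIGNATURE_CERTFILE` paragraph and mentioning that `SIGNATURE_HASHFN` applies to this profile too. Wording: "`SIGNATURE_SIGNWITH` variable can be set for the script path" reads awkwardly, better "set `SIGNATURE_SIGNWITH` to the path of the script"; and since this file is being touched, the pre-existing "definded" in the context line above is worth fixing.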
-- 
2.39.2



* Re: [PATCH 0/3] Allow use of external scripts to sign modules
From: 'MOESSBAUER, Felix' via isar-users @ 2025-01-31 11:38 UTC (permalink / raw)
  To: isar-users, Cetin, Gokhan; +Cc: Kiszka, Jan

On Thu, 2025-01-23 at 15:51 +0100, Gokhan Cetin wrote:
> Considering the comments from
> https://groups.google.com/g/isar-users/c/qmVCSWlpTeU

Hi,

this is actually the v2 of the "Allow use of external scripts to sign
modules" series. Code-wise it looks fine. In case a v3 should be
required, please generate the patches with "git format-patch --subject-
prefix='PATCH v3' ...".

Acked-by: Felix Moessbauer <felix.moessbauer@siemens.com>

Felix

> 
> Gokhan Cetin (3):
>   meta/recipes-kernel/linux-module: Allow use of external scripts to
>     sign modules
>   module-signer-example: add example signer hook and signed variant
> for
>     example-module
>   doc/user_manual: describe module signing and custom signer hooks
> 
>  doc/user_manual.md                            | 24 +++++++++++
>  .../files/sign-module.sh                      | 40
> +++++++++++++++++++
>  .../module-signer-example.bb                  | 20 ++++++++++
>  .../example-module-signedwith.bb              | 15 +++++++
>  .../linux-module/files/debian/rules.tmpl      |  4 ++
>  meta/recipes-kernel/linux-module/module.inc   |  2 +
>  6 files changed, 105 insertions(+)
>  create mode 100644 meta-isar/recipes-devtools/module-signer-
> example/files/sign-module.sh
>  create mode 100644 meta-isar/recipes-devtools/module-signer-
> example/module-signer-example.bb
>  create mode 100644 meta-isar/recipes-kernel/example-module/example-
> module-signedwith.bb
> 

-- 
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany




* Re: [PATCH 0/3] Allow use of external scripts to sign modules
From: Uladzimir Bely @ 2025-02-07  7:59 UTC (permalink / raw)
  To: Gokhan Cetin, isar-users

On Thu, 2025-01-23 at 15:51 +0100, 'Gokhan Cetin' via isar-users wrote:
> Considering the comments from
> https://groups.google.com/g/isar-users/c/qmVCSWlpTeU
> 
> Gokhan Cetin (3):
>   meta/recipes-kernel/linux-module: Allow use of external scripts to
>     sign modules
>   module-signer-example: add example signer hook and signed variant
> for
>     example-module
>   doc/user_manual: describe module signing and custom signer hooks
> 
>  doc/user_manual.md                            | 24 +++++++++++
>  .../files/sign-module.sh                      | 40
> +++++++++++++++++++
>  .../module-signer-example.bb                  | 20 ++++++++++
>  .../example-module-signedwith.bb              | 15 +++++++
>  .../linux-module/files/debian/rules.tmpl      |  4 ++
>  meta/recipes-kernel/linux-module/module.inc   |  2 +
>  6 files changed, 105 insertions(+)
>  create mode 100644 meta-isar/recipes-devtools/module-signer-
> example/files/sign-module.sh
>  create mode 100644 meta-isar/recipes-devtools/module-signer-
> example/module-signer-example.bb
>  create mode 100644 meta-isar/recipes-kernel/example-module/example-
> module-signedwith.bb
> 
> -- 
> 2.39.2
> 

Applied to next, thanks.

-- 
Best regards,
Uladzimir.




